Agile Network Access Control in the Container Age

Cornelius Diekmann, Johannes Naab, Andreas Korsten, Georg Carle

Research output: Contribution to journalArticlepeer-review

18 Scopus citations

Abstract

Linux containers, such as those managed by Docker, are an increasingly popular way to package and deploy complex applications. However, the fundamental security primitive of network access control for a distributed microservice deployment is often ignored or left to the network operations team. High-level application-specific security requirements are not appropriately enforced by low-level network access control lists. Apart from coarse-grained separation of virtual networks, Docker neither supports the application developer to specify nor the network operators to enforce fine-grained network access control between containers. In a fictional story, we follow DevOp engineer Alice through the lifecycle of a Web application. From the initial design and software engineering through network operations and automation, we show the task expected of Alice and propose tool-support to help. As a full-stack DevOp, Alice is involved in high-level design decisions as well as low-level network troubleshooting. Focusing on network access control, we demonstrate shortcomings in today's policy management and sketch a tool-supported solution. We survey related academic work and show that many existing tools fail to bridge between the different levels of abstractions a full-stack engineer is operating on. Our toolset is formally verified using Isabell/HOL and is available as an open source.

Original languageEnglish
Article number8584074
Pages (from-to)41-55
Number of pages15
JournalIEEE Transactions on Network and Service Management
Volume16
Issue number1
DOIs
StatePublished - Mar 2019

Keywords

  • Isabelle/HOL
  • Security management
  • access control
  • centralized management
  • container
  • docker
  • firewall
  • formal methods
  • operations & administration
  • policy
  • tools

Fingerprint

Dive into the research topics of 'Agile Network Access Control in the Container Age'. Together they form a unique fingerprint.

Cite this